We've been here before. Asking "security" questions based on easily discoverable or guessable answers is no longer a good idea for general consumer access, but for administrative access? You're really protecting super-user privileges by asking for their favorite ice cream flavor? (A major telco used that protection and discovered vanilla is awfully popular. And one gang last year specialized in basic research, including "everything from Social Security number to oldest sibling's nickname and city where the victim was married.")
(Related Story: Visa Kicks Global Payments Off Its PCI Compliant List. Catch-22 Is In Full Force.)
Before we delve into the lack of security with KBA, let's quickly review the preliminary Global Payments details. The first report came from Krebs On Security and pointed to Visa/MasterCard alerts "warning banks about specific cards that may have been compromised. The card associations stated that the breached credit-card processor was compromised between Jan. 21, 2012, and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken—meaning that the information could be used to counterfeit new cards."
Krebs and Litan both reported that activity seemed to be focused on parking garages in the New York City metro area. (Litan added that cyberthieves initially seemed to be "a Central American gang.") No initial info suggested that any major retailers were identified as a common point of purchase, which really makes this appear to be a pure Global Payments headache.
Global Payments issued its own statement Friday (March 30) that it had "identified and self-reported unauthorized access into a portion of its processing system."
But a quote in that statement from CEO Paul Garcia, intended to be reassuring, was anything but. Quoth Garcia: "It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers."
Let's take this one frightening sentence at a time. Although it's nice Garcia is reassured that the company detected the intrusion after the fact—after potentially more than 10 million card numbers were grabbed—it's safe to say that retailers would have been a heck of a lot more reassured had Global Payments prevented the intrusion instead. Or maybe stopped it after 8,000 or even 80,000 instances. Heck, even 800,000 or 8 million would have been an improvement.Secondly, Garcia's comment that "it is crucial to understand that this incident does not involve our merchants or their relationships with their customers" is either stunningly naïve (quite unlikely) or deliberating misleading. Is Garcia honestly suggesting that a 10 million card breach "does not involve" a department store's "relationship" with its payment-card-using shoppers?
Consumers don't know Global Payments. All they know is the card brand, their bank and the retailer. When a breach happens, they begin to suspect all of the above.
History has shown overwhelmingly that U.S. shoppers have never stopped—or even slowed—purchases because of a major breach. But that's not to say that as consumers better understand these issues and, critically, continue their move to debit cards and away from credit cards (where they lose the zero-liability credit-card protections), those fears won't start translating into action.
Such breaches could also impact young markets, such as mobile payments, where fear of the unknown coupled with major breaches could slow a market that is already stumbling.
If Global Payments meant to say that it will protect retailers from fraud losses, it should have said that. But to say that this breach "doesn't involve merchants or their relationships with their customers" simply doesn't pass the laugh test.
That all said, let's get back to Litan's KBA thoughts.
Litan pointed out the absurdity of such security defenses in 2012 and said, "we can expect the PCI assessors to say no to KBA on administrative accounts. They need to say no to many different types of authentication that are being successfully bypassed by determined crooks."
Unfortunately, I doubt that we can expect this. Just because QSAs should be forbidding KBA tactics for anything sensitive doesn't mean they will. By the way, if something is sensitive enough to need protection, it would seem sensitive enough to need good protection. Hence, should KBAs be used at all?
QSAs are not likely to start fighting against KBAs until the PCI Council comes out with some strong language discouraging—if not outright banning—their use for anything that even gets close to payment card data. The council doesn't have the jurisdiction to say anything about security that is not related to payment cards, but I am hoping that QSAs would take the logical next step. If not, retailers will hopefully make that move directly.
One low-cost and low-disruption response is to make KBAs more difficult. Instead of asking for something easily discoverable—such as your last residential ZIP code—why not seek the name of your third-grade science teacher? Or what you had for breakfast three days ago?
Simple answer: The more difficult to remember the answer is, the more likely the consumer will just make something up, as in "Mrs. Smith" or "cereal." And we're back into the "easily guessable" trap.
Shoppers will opt for the easy way out, using the same password for many accounts, writing it down near their computer (or in a text file on their phone) or something that is easy to remember (12345, password or iloveyou anyone?). The only secure mechanism is for the system to issue strong passwords and to also use secondary authentication. (Let's say it all together: Something you know, something you have, something you are.)